Merge pull request #523 from frappe/mergify/bp/master/pr-522

Aradhya-Tripathi · web-flow · commit f91025d67f53 · 2026-05-21T15:56:51.000+05:30
fix(build): Ensure public keys are used correctly (backport #522)
diff --git a/agent/build_configs/sshd_config b/agent/build_configs/sshd_config
@@ -0,0 +1,67 @@
+ListenAddress 0.0.0.0
+PidFile /home/frappe/frappe-bench/config/ssh/sshd.pid
+Port 2200
+
+
+# Logging
+LogLevel VERBOSE
+SyslogFacility AUTH
+
+
+# Authentication
+PermitRootLogin no
+StrictModes yes
+
+AuthenticationMethods publickey
+PubkeyAuthentication yes
+
+
+# Disable Other Authentication Methods
+ChallengeResponseAuthentication no
+GSSAPIAuthentication no
+HostbasedAuthentication no
+KbdInteractiveAuthentication no
+KerberosAuthentication no
+PasswordAuthentication no
+PermitEmptyPasswords no
+UsePAM no
+
+
+# Certificates
+AuthorizedKeysFile none
+TrustedUserCAKeys /home/frappe/frappe-bench/config/ssh/ca.pub
+AuthorizedPrincipalsFile /home/frappe/frappe-bench/config/ssh/principals
+
+HostKey /home/frappe/frappe-bench/config/ssh/ssh_host_rsa_key
+HostCertificate /home/frappe/frappe-bench/config/ssh/ssh_host_rsa_key-cert.pub 
+
+
+# Capability Limits
+AllowAgentForwarding no
+AllowStreamLocalForwarding no
+AllowTcpForwarding no
+
+GatewayPorts no
+
+PermitListen none
+PermitOpen none
+
+PermitTunnel no
+PermitUserEnvironment no
+PermitUserRC no
+
+PrintMotd no
+
+X11Forwarding no
+X11UseLocalhost yes
+
+
+# Interactive Terminal
+PermitTTY yes
+
+
+# Rate Limit
+LoginGraceTime 20
+MaxAuthTries 3
+MaxSessions 10
+MaxStartups 10:30:100
diff --git a/agent/builder.py b/agent/builder.py
@@ -175,9 +175,13 @@ def _write_ssh_key_files(self, config_dir: str):
         ssh_dir = os.path.join(config_dir, "ssh")
         os.makedirs(ssh_dir, exist_ok=True)
 
+        shutil.copy(os.path.join(self.build_config_path, "config", "ssh", "sshd_config"), ssh_dir)
+
         host = self.ssh_keys["host"]
         with open(os.path.join(ssh_dir, "ssh_host_rsa_key"), "w") as f:
             f.write(host["private_key"])
+        with open(os.path.join(ssh_dir, "ssh_host_rsa_key.pub"), "w") as f:
+            f.write(host["public_key"])
         with open(os.path.join(ssh_dir, "ssh_host_rsa_key-cert.pub"), "w") as f:
             f.write(host["certificate"])
         with open(os.path.join(ssh_dir, "ca.pub"), "w") as f:
